2

Is it possible to prevent a USB sound card, that's infected with BADUSB, from damaging my computer? In particular, if I can limit the sound card to only act as a sound card, and not something else like a keyboard, can it do any damage as a sound card? I know if it tells my computer it's a keyboard, it can type stuff in. But I'm wondering what kind of problems a sound card could cause.

edit: I don't know if the card is infected, but I don't want to take any chances. And it's not easy to just replace it, because it has some modifications. If this doesn't work, I'll buy another one, and try modifying it myself. But I'm hoping I won't have to.

another edit: I'm not really worried about physical hardware damage, I'm mainly concerned with things like software and firmware problems. And I suppose I wouldn't be too happy if it had some kind of embedded transmitter, used for spying. But I'm mainly concerned with how it could use my existing hardware, like my internet connection. Also, I could use either windows or linux.

edit #3: The sound card was already modified when I bought it. And my concern isn't that something else will infect the sound card. I'm concerned that the card could have been infected, before I bought it, like any USB device that doesn't come from a known, trusted source (if there even is such a thing). So I'm trying to understand what kind of threat this card could be, if I can limit it to only functioning as a sound card.

edit #4: I'll try again to clarify what I'm asking. I bought a modified USB sound card from a source that I can't verify is trustworthy. The source could be trustworthy, but since I have no way of knowing that, I'm going to assume they aren't, and that they infected the firmware with some kind of BADUSB exploit. I'm also assuming I could do something through the operating system (probably linux, but maybe windows) to limit the card from only doing stuff that a sound card can do (not a keyboard, network card, or anything else). So my questions is, can this supposedly compromised USB sound card, that can't pretend it's anything except a USB sound card, do anything bad to my computer? If that doesn't make sense, I give up, but I do appreciate the effort. And all answers have been helpful, even if they haven't answered my question.

Dan
  • 55
  • 5
  • You really need to say which OS you care about. Tricks that might be possible in one OS, may not generalise. Also physical damage cannot be ruled out. For example, pumping a 220V spike in over the power or data lines is likely to fry something, so do you need to worry about more than virus infections? – Paul Wagland Nov 06 '15 at 20:09
  • Related question: [*How to prevent BadUSB attacks on Linux desktop?*](https://security.stackexchange.com/questions/64524/how-to-prevent-badusb-attacks-on-linux-desktop) – StackzOfZtuff Nov 16 '15 at 08:38

2 Answers2

1

The direct answer to your question is pretty straightforward and reassuring, I think. That being: There is no apparent evidence that any actual, in-the-wild attacks have occurred where malware has written to the firmware of a sound card. (Meaning I don't recall ever having read of a confirmed case of that happening, and some searching on Google revealed no such confirmed cases either.) In fact, I haven't even read of or discovered any proof of concept cases where that has been demonstrated. (Note: If anybody knows of any source that documenting otherwise please feel invited to share it in the comments.)

And really, I don't know that that lack of documented cases is terribly surprising. Discrete sound cards really aren't that common in today's PCs, and if you wanted to write malware that could hide in a sound card's firmware you'd probably have to have to develop and test different code for each make and model of each card you wanted to be able to infect. A bit like the NSA had to do with its hard drive firmware-infecting efforts. So, perhaps it makes some intuitive sense that we haven't yet seen malware that tries to persist in sound card firmware.

So, from a practical standpoint I don't think badusb-like firmware infection is really something that's worth devoting any real worry to. There's no indication that any malware trying to use that approach is running around out there in the wild (at this point, anyway), let alone anything prevalent enough to necessitate taking the course of junking a partly-customized sound card out of fear of it.

That being said... I'll close with two caveats:

  1. Rewriting the firmware of internal PC components is indisputably possible, and has (although rarely) actually occurred in the wild. Aside from stuff that hits main BIOS or UEFI, security researchers have indeed done proof of concept demonstrations of firmware-alteration in network cards. There is some indication that USB host controllers are quite viable targets, and possible attacks on internal components in general have often been written about as feasible. And, as mentioned above there is open source confirmation that highly-targeted, real-world attacks involving hard drive firmware alteration have occurred. So it's not really that sound card firmware-alteration would be an out-of-the-blue, amazing new technical surprise.

    1. If you're a target worth detailed attention from the NSA or other very-high-end nation-state threats then pretty much any theoretically plausible attack has to be considered as something you need to be on guard against. And getting the firmware on a sound card altered by sophisticated, persistent malware would definitely be in the category. On the other hand, it you were a target of such importance the question of whether or not to junk a sound card would probably be pretty far down on your very, very, very long list of security matters to worry about.

So, you would almost certainly be just fine.

edit: Replying to question's edit #3:

Yeah, I think we are talking about the same thing, although in slightly different ways and terms. If I understand you you're asking about whether a good, correctly-operating sound card can get a malware infection of some kind and afterward turn into a maliciously operating perhipheral that tries to lie to your computer that it's a USB keyboard (or another Human Interface Device) and start feeding it "key presses" that, say, open a command prompt and enter commands into the system, right?

Well, the way that that malicious attack happens with something like a USB drive is that the firmware on the drive that tells the drive what it's supposed to do has to get overwritten with new instructions. That's why a USB drive can start to act like a keyboard or other human interface peripheral: because the overwritten, maliciously-changed firmware tells it to. (More details about exactly how that works to make badUSB possible are here.) Unless you can correctly rewrite the firmware for a USB drive to do what you want to do, create an attack that alters the firmware of USB drives you want to turn malicious, and finally expose a USB drive to that attack something like badUSB can't happen.

Basically the same thing is like case with stuff like BIOS chips in PCs, or with network cards, or hard drives, or graphics cards, or, yes, sound cards. And that's where you get to what my answer discusses: while it might be theoretically possible that an attacker could pull off what you suggest, there's no evidence right now that any such attacks have occurred in real life with sound cards.

edit: replying to question edit #4

Okay, so I think I'll give an answer one more quick shot here. I have reread the question and the subsequent edits with care. Although I'm still not exactly quite sure why we're not on the same page, perhaps one more quick effort can fix that. So...

First, If the question you're asking is: "Assume this USB sound card has somehow been infected by BADUSB or something very like that.. could it do these BadUSB attack things?" I suppose the only responsible answer I could give with be: if something can be infected by BadUSB, one really should err on the safe side and assume that it could act like BadUSB. Meaning it could potentially spread nastiness to a PC or device that you might plug it into.

Still assuming the card is infected with BADUSB, if you wanted to use it anyway you might ask "Are there things that I might do that might lessen or almost eliminate the risk that my PCs and other devices might get infected with badUSB themselves from the sound card?" Well, I think the answers to this question and this question address that more comprehensively than I could. So I'll just point to those, aside from offering the generic observation that introducing any element that you know to be infected with malware to your technical setup invariably brings at least some degree of risk with doing so. Even if good countermeasures & mitigations are available to reduce that risk, that's a different thing from eliminating that added risk altogether.

But all of what I just said is based on starting with that one absolutely critical assumption: that your recently acquired USB sound device is infected with BadUSB or something like it. And to reiterate what I said previously: As you've laid out the facts there is a very, very, very low likelihood that that is actually true in your case. There is no recorded incidence (That I've found, anyway. Or that anyone else has mentioned.) of an infected USB sound card occurring anywhere, either in the wild or even in a researcher's lab. At all. Thus, my original non-advice advice: unless you would be a target of exceptional importance to some person or organization with major, major technical chops worrying about the firmware in your purchased USB sound card being infected with anything almost certainly isn't worth expending the mental energy to do so.

Community
  • 1
mostlyinformed
  • 2,715
  • 16
  • 38
  • I'm still not sure you understood my question, so I added edit #4. If you try to answer again, please read it very carefully. Otherwise, thanks for trying. Your answers help, even if they don't answer my original question. – Dan Nov 15 '15 at 01:18
  • @Dan I took one more crack at it. I think at this point my answers & edits have covered pretty much every aspect of how & whether USB devices, sound cards, and USB sound cards can have their firmware infected/overwritten with malicious firmware, along with how & whether they can spread that infection to other devices and/or impersonate a Human Interface Device (like a keyboard or mouse). To sum up: the chances that your USB sound card is actually infected with some malware like that is so low that it's probably not worth worrying about as any kind of realistic possibility. – mostlyinformed Nov 16 '15 at 06:59
  • I think the only thing we *haven't* covered is physical alterations to the card so that it actually becomes something like the famous/infamous "rubber ducky" USB hacking device that looks on the outside like a ordinary USB stick: http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649 . But making such alterations to the physical circuitry of a USB sound card to act like such a HID/hacking tool would, again, require quite a bit of technical skill and effort on the part of a sophisticated attacker. Like a nation-state-level attacker. – mostlyinformed Nov 16 '15 at 07:16
  • Your latest answer is helpful again, but unfortunately still misses the point of my question. A hypothetical, fictitious answer, would be something like: An infected USB device, acting as a sound card, could emit sound data that's really a list of instructions, that get executed, because of a defect in the thing that processes sound data. As opposed to a sound card, that pretends it's also a keyboard, and types in stuff it shouldn't be typing in. Anyway, I think I'll get around the possible problem another way. – Dan Nov 18 '15 at 04:18
  • And unfortunately, I don't think the possibility of a problem is small in this case. – Dan Nov 18 '15 at 04:18
  • Re. your scenario, some security researchers *have* used information encoded in sound pulses--pulses outside the range of normal human hearing, for obvious reasons-- to allow communication between devices separated by an air gap (ie. with no wired or wireless connectivity between them). But every lab situation where that has been demoed so far has involved two devices that were *pre-infected* by malware. In other words, AFAIK no uninfected device has ever been compromised in the first place by information carried via sound waves, even in the lab. Though, again, it is theoretically possible. – mostlyinformed Nov 18 '15 at 04:39
  • Well, I'm glad my input was helpful, anyway. Good luck with your situation; it sounds like you consider yourself to be up against a highly-capable possible adversary, which is always a difficult place to be. Glad you may have a way to get around the risks you're worried about. – mostlyinformed Nov 18 '15 at 04:43
  • That sound pulse thing is interesting. But in my case there wouldn't be anything else to communicate with, that I'd be worried about. I'm not any kind of valuable target, worthy of someone sitting outside my house with a listening device. But the people I bought the sound card from, wouldn't know that. And I'd rather keep as much spyware, etc. off my computer as possible. It's bad enough having to trust windows. – Dan Nov 18 '15 at 04:57
1

If you have the USB sound card, or for that matter any USB device, it is not impossible for it to enumerate malicious virtual peripherals (MVPs). While no known attacks published in the wild, it does not guarantee the non-existence of such peripherals. A virtual keyboard is an obvious MVP, but a network card could be an even worrisome MVP.

I could think of at least one way to ensure the card is not enumerating any MVPs - observe system logs. Depending upon OS,

  1. Open up the system log (e.g. /var/log/syslog on Linux) or open a device manager (e.g. Device Manager in MS-Windows), without the device-under-test (DUT) connected.
  2. Connect the DUT and we could note all the peripherals it is enumerating.

The log has obvious advantage in this case: any short lived MVPs may not be visible in the device managers, but logs will have evidences of their enumeration and disconnect.

Caveat: It appears to be, theoretically, possible to silently enumerate MVPs, but I only saw it in theory. In such cases, I guess it'll be more of an elaborate and systematic attack to compromise target system. Only a security expert (or a team) could identify and neutralize such attacks.

Vasu
  • 56
  • 2